Ontario’s Information and Privacy Commissioner Ann Cavoukian has harsh words for those not making privacy a priority — namely Facebook and public organizations in Ontario that neglected to encrypt sensitive data.
Facebook failed to put privacy first with its recent changes to the popular social networking site, she says. Many angry Facebook users called the commissioner’s office to complain that the default for many of their privacy settings was set to be public in mid-December.
“I had no idea why they did it that way,” Cavoukian says. “Whatever my previous settings were, that’s what I want.”
The federal Privacy Commissioner’s office also received such complaints, one of which prompted it to launch its second probe into Facebook.
Last July, Canada’s Privacy Commissioner, Jennifer Stoddart, released findings of the initial probe that found Facebook was not in compliance with Canadian privacy legislation.
But recent changes aren’t going in the right direction, says a statement from Elizabeth Denham, Assistant Privacy Commissioner.
“Some Facebook users are disappointed by certain changes being made to the site,” the release states. “Changes that were supposed to strengthen their privacy and the protection of their personal information.”
The federal office had no further comment.
Facebook’s privacy changes prompted all 350 million users to revisit their privacy settings in mid-December. New information was made public by default: a user’s name and profile picture, gender, city, networks, and friends list. Facebook later removed the friends list from publicly available information after many users complained.
Cavoukian, who has worked with Facebook in the past, supports the new investigation. She is also concerned with recent controversial comments made by Facebook founder Mark Zuckerberg. Earlier this month, he told a public audience that current social norms were shifting and people were more comfortable with sharing information.
“We’re social animals,” she says. “Of course people want privacy, and of course they want to connect. We want both.”
Facebook has made several changes in keeping with its promises to the federal Privacy Commissioner’s office. It made a clearer distinction between deactivating and deleting an account, and it further explained the treatment of accounts for deceased users.
It has a deadline of Sept. 1 to meet all of the recommendations of the report.
Ontarians at risk after data breaches
December 2009 saw a combined 92,000 records exposed containing personal information of Ontarians.
The Durham Region Health Department lost 83,500 records on an unencrypted USB key. It contained data from those who attended H1N1 and seasonal flu vaccination clinics from Oct. 23 to Dec. 15. It was thought to have been lost on the clinic’s property.
The Ontario Teachers Insurance Plan had several laptops stolen Dec. 3, containing the data of 8,600 teachers. Personal information such as Social Insurance Numbers was included in the data. The laptops were password protected, but not encrypted.
That’s not acceptable, Cavoukian says. There have been too many data breaches to keep making the same mistake.
“You have to get very serious and really no longer take a gentle approach,” she says. “It’s ridiculous. It’s completely unacceptable.”
After a data breach involving Sick Kids Hospital in Toronto three years ago, Cavoukian issued an order requiring encryption of all health information put on a mobile device. Now it’s the standard for compliance.
“The human error doesn’t relate to lack of encryption,” the commissioner says. “That’s neglect.”
Cavoukian spoke with ITBusiness.ca at a privacy conference she hosted in Toronto, to mark International Data Privacy Day.
Premier Dalton McGuinty appeared at the conference to make some brief remarks. Despite the recent data breaches, he stood behind the Province’s record.
“Ontario government has some of the strictest privacy protections in the world,” he says. “Especially [relating to] health records.”
Follow Brian Jackson on Twitter.